Microsoft Issues Multiple Critical Patches for Edge Browser

Microsoft's January Patch Tuesday roundup includes four critical patches for its Edge browser.

Microsoft patched a bevy of critical bugs impacting its Edge browser that could allow an attacker to hijack a targeted PC simply by steering a victim to a rigged website harboring specially crafted exploit code. In all, Microsoft tackled four critical Edge vulnerabilities, part of the company’s first 2019 round of Patch Tuesday bug fixes.

Each of the browser bugs is a memory corruption vulnerability. Three (CVE-2019-0539, CVE-2019-0568, CVE-2019-0567) are tied to Microsoft’s own JavaScript engine, the Chakra Scripting Engine. The fourth (CVE-2019-0565) is a remote code execution vulnerability that exists when Edge improperly accesses objects in memory, according to Microsoft.

In total, Microsoft patched 49 vulnerabilities on Tuesday, seven listed as critical, 40 important and two ranked as moderate. Of particular interest is a Jet Database Engine remote code execution vulnerability (CVE-2019-0579) that was publicly known ahead of the patch, but not exploited in the wild.

According to the Microsoft security bulletin, to exploit the Jet vulnerability an adversary would first have to trick a victim into opening a malicious file.

Another notable patch was for a Skype for Android elevation of privilege vulnerability (CVE-2019-0622) that could have allowed hackers to bypass authentication methods and access personal data on an Android device – simply by answering a Skype call to that device. Threatpost reported on the bug on Monday.

“Obviously, an attacker would need physical access to your phone to do this. According to published reports, a fix for this was included in the December 23 release of Skype, so this release is primarily documenting the details. Although Microsoft does not list this as publicly known, the researcher posted a YouTube video demonstrating the vulnerability back on December 31. To get the update, you’ll need to manually access the Google Play store and update the Skype app from there,” wrote Zero Day Initiative in its Patch Tuesday commentary.

Satnam Narang, senior research engineer at Tenable, noted in an email commentary to Threatpost:

“The most noteworthy vulnerability in today’s Microsoft Patch Tuesday release is a remote code execution flaw in the Windows DHCP client (CVE-2019-0547), which is the highest rated CVE this month. In order to exploit the vulnerability, an attacker would need to be able to send a specially crafted DHCP response to its target, allowing them to run arbitrary code on the client machine.”

The bug has a CVSS score of 9.8 and impacts the latest versions of Windows 10 (version 1803) and Windows Server (version 1803).

“There are also multiple elevation of privilege vulnerabilities in the Windows Data Sharing Service that were patched this month,” Narang wrote. “An attacker could use these vulnerabilities to elevate privileges while on an affected system. This follows the public disclosure via Twitter of a zero-day elevation of privilege vulnerability in the Windows Data Sharing service back in October.”

“That vulnerability continues to be exploited in the wild and Recorded Future has seen several exploit kits incorporate the released proof of concept code into their platforms. If you have not patched this vulnerability yet, it should be the number one priority,” Liska said.

Authors

Threatpost
